Frequently Asked Questions

Q: What is SBAB's Developer Portal?

SBAB's Developer Portal is an open API platform that lets you explore the various products of household finance offered by SBAB in a production like environment.
The static test data and endpoints are called the Sandbox.

Q: What data does the SBAB Development Portal contain?

Our sandbox environment contains static test data with the same data structure that is used in production. You are free to test all endpoints available and the documentation covers both sandbox as well as production environment.

Q: How do I test Sandbox APIs?

In our get started-section, you will find the information you need to start use the APIs in our sandbox environment.

Q: Is it associated with any costs to use the SBAB Development Portal?

No, it’s free! But please note that some APIs may incur a fee to allow access to the production environment.

Q: How do I login?

Q: Can I use my Sandbox bearer token in the production environment?

No. In the production environment, you use a different authorization scheme. Read more about this under the auth section in the documentation.

Q: Why should I use a PSD2 certificate in the sandbox?

If you want to test the PSD2 authentication flow in the sandbox, it will be easy to integrate with our production environment since it is the same flow and the same business objects.

Q: How is the authorization/authentication done in the sandbox?

First you need to ask for a pending access code and then exchange the pending code to an access token. More info can be found under the Auth Product documentation, as well as working examples.

Q: How do I find the PSP authorization number used for onboarding?

It is stored in your client certificate information and is a part of the principal DN, tagged tagged with 'OID.2.5.4.97' and with a value like 'PSDSE-FINA-32017'. The complete string must be given in the onboarding process. Check with your security department if unsure how to find the value in the client certificate.

Q: How do I get access to production data?

Please login and apply for production access by clicking on 'Apply for production access' button or contact us for further dialog/access to production environment.
Please also note that access to production data via the SBAB Bank API is a strictly B2B matter and requires that the applicant represents a corporate with relevant permission from the National Competent Authority (in Sweden: Finansinspektionen). There are currently no opportunities for private persons to develop services based on the SBAB Bank API.

Q: Something seems to be wrong with my bearer token, I get a 401 Error: unauthorized

Make sure that you send in the complete token including Bearer ('Bearer xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxxxx') in the key authorization

Only send in the Bearer once in your call.

This is valid for both calls to the Sandbox and calls to the Production environment. Note however that a token used in production can never be used in the Sandbox, and vice versa.

Q: What’s the difference between a refresh token an access token?

An access token is valid for a session of 30 minutes if an authentication has been used. The refresh token is valid for 90 days and can be used for exchange of new access token up to 4 times per day before the refresh token expires.
Note that an access token issued from a refresh token is only valid for 5 min. This flow is initiated through the authorization flow.

Q: How often can I use the refresh token?

It’s limited to 4 times per day and each access token is valid for 5 minutes.

Q: What happens when my refresh token expires?

You need to use the authorize endpoint again.

Q: Why are there two endpoints, authorize and authenticate, to get an access token?

Both authorize and authenticate endpoints returns a pending code in step 1. When in step 2 calling the token endpoint with the pending code, a previous authorize endpoint call returns both an access token and refresh token. A previous authenticate endpoint call only returns the access token. Note that the pending code is used to retrieve the access token once the end user has signed.

Q: Why do I want the refresh token?

To access end user data without end user interaction.

Q: What do I do when I get an HTTP status 403 with "kyc_questions_not_completed"?

Q: How can I test that our flow with SBAB works in production?

If you have access to the production client certificate, you can verify if the handshake is completing successfully with the following command:
curl --cert path/to/cert -v https://psd.sbab.se/psd2/auth/1.0/authorize